This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

sentinel integration, azure-sentinel-update-incident, not able to set to active

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

sentinel integration, azure-sentinel-update-incident, not able to set to active

jboyd98
L2 Linker

‎02-14-2022 09:44 AM

I can close an azure incident in xsoar war-room with the following:

!azure-sentinel-update-incident incident_id="xx-xxxxx-xxxxx" status="Closed" classification="Undetermined"

 

However when i try to re-open the incident in azure from war-room with the following i get the subsequent error:

!azure-sentinel-update-incident incident_id="xx-xxxxx-xxxxx" status="Active"

 

Failed to execute azure-sentinel-update-incident command. Error: [BadRequest 400] classification can only be set for incidents with status 'Closed'.
 
Closing a ticket in azure requires classification, where as re-opening the incident in azure "clears" the previous set classification.
It feels like there is some sequencing issue with the xsoar "update incident" command above where it's confused about wiping / not setting the classification when re-opening the ticket.
 
Goal is to be able to set an Azure Incident back to active status from xsoar war-room and then eventually script it to happen when a xsoar ticket is re-opened.
 
Any insight is appreciated, thanks Boyd
 
0 Likes Likes
2 REPLIES 2

gfilippov
L3 Networker

‎02-19-2022 12:21 PM

Hi,
Further instructions were sent over the support case you've opened, since this discussion board is public- let's continue the discussion over the private support case, on which logs can be shared,
thanks.

0 Likes Likes

asawyer
L3 Networker

‎02-22-2022 05:05 PM

Hi @jboyd98, I was unable to reproduce this issue using the latest version of the Azure Sentinel content pack (1.3.1). Please make sure you have updated the pack to the latest version.

0 Likes Likes
  • 1997 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks